Description of problem:
On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer overflow and the buffer may be smaller than needed. Since ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at least denial of service.

Reference: http://thread.gmane.org/gmane.linux.network/164869
ethtool_get_rxnfc() was introduced in v2.6.27-rc1 via:

netdev: Add support for rx flow hash configuration, using ethtool.
http://git.kernel.org/linus/0853ad66
v2.6.27-rc1

Also see:

ethtool: Add RX pkt classification interface rxhash->rxnfc
http://git.kernel.org/linus/59089d8d

Only the niu (Neptune ethernet) driver uses this ioctl.
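The wrap described in the report, as an added example that is not part of the bug report or the kernel source: it emulates 32-bit size arithmetic with `uint32_t`, and the 4-byte element size is an assumption inferred from the 0x40000000 threshold. The checked variant is one way to reject such counts, not the upstream patch; all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed per-rule element size, implied by the 0x40000000 threshold. */
#define ELEM_SIZE 4u

/* Unchecked size as a 32-bit size_t would compute it (wraps mod 2^32). */
static uint32_t unchecked_size32(uint32_t rule_cnt)
{
    return rule_cnt * ELEM_SIZE;
}

/* Bytes actually required, computed in 64 bits so it cannot wrap. */
static uint64_t required_size(uint32_t rule_cnt)
{
    return (uint64_t)rule_cnt * ELEM_SIZE;
}

/* Checked form: reject counts whose byte size does not fit in 32 bits. */
static bool checked_size32(uint32_t rule_cnt, uint32_t *size_out)
{
    if (rule_cnt > UINT32_MAX / ELEM_SIZE)
        return false;
    *size_out = rule_cnt * ELEM_SIZE;
    return true;
}

int main(void)
{
    /* Constructed sample counts around the boundary named in the report. */
    const uint32_t samples[] = { 16u, 0x3fffffffu, 0x40000000u, 0x40000001u };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t size = 0;
        bool ok = checked_size32(samples[i], &size);

        printf("rule_cnt=0x%08x unchecked=%u required=%llu checked=%s\n",
               (unsigned)samples[i],
               (unsigned)unchecked_size32(samples[i]),
               (unsigned long long)required_size(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```
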
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for the Neptune Ethernet driver. It did not affect Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG, as they do not contain the upstream commit 0853ad66 that introduced this flaw.
Patch is now upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=db048b69037e7fa6a7d9e95a1271a50dc08ae233
kernel-2.6.33.6-147.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
kernel-2.6.32.16-141.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Fixed upstream in 2.6.35, 2.6.34.2, 2.6.33.7 and 2.6.32.17
mrg-1.3 [bug #608952]

mrg-1.3 is based on 2.6.33.7, so we already have this fix.